ENABLING FILE AND FOLDER ACCESS AUDITING ON WINDOWS SERVER 2008 AND 2008 R2

Step 1: Enable File and Folder auditing

File and folder auditing can be enabled in two ways:
a) Through Group Policy (for Domains, Sites and Organizational Units)
b) Local Security policy (for single Servers)

Step 2: Enable auditing for object access

To enable auditing for object access on an MS Windows Server 2008, follow these steps:

A) Open Group Policy Management Console.
B) Go to the domain concerned and expand its node
C) Go to Group Policy Objects and right-click on it
D) Select New from the popup menu
E) In the New GPO dialog box, enter the name of the new GPO and click ‘Ok’
F) Right-click on the newly created GPO and select ‘Edit’ from the pop-up menu
G) The Group Policy Management Editor window opens up
H) Go to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies
I) In the right-pane, the list of all policies is displayed

(i) Audit Account Logon Events
(ii) Audit Account Management
(iii) Audit Directory Service Access
(iv) Audit Logon Events
(v) Audit Object Access
(vi) Audit Policy Change
(vii) Audit Privilege Use
(viii) Audit Process Tracking
(ix) Audit System Events

J) Go to the policy for which you want to define settings. If you define settings for all policies, a lot of logs will be generated.
K) Double-click on the policy for which you want to define the settings
L) In the Properties dialog box that opens up, select Success/Failure or both
M) Click on ‘Ok’ to close the window
N) Next, you need to apply this policy on the DC. Open the Run dialog, type: gpupdate /force /boot /logoff and click ‘Ok’
O) A gpupdate command prompt window opens up and a message is displayed: “Updating Policy …”

Step 3: Select specific Folder and define Users

After the policy has been applied, the next step is to select the files and folders to audit and the users whose actions are to be audited.

To select a specific folder and define users, follow these steps:

a) Go to Windows Explorer
b) Right-click on the folder to be audited and select Properties
c) In the Properties dialog box, select the Security tab and click on ‘Advanced’
d) In the Advanced Security Settings dialog box, select the Auditing tab
e) Click on the ‘Add…’ button.
f) In the Select User or Group dialog, enter names of Users whose accesses are to be audited
g) Select ‘Everyone’ to audit access attempts by all Users. Click on ‘OK’
h) Auditing Entry for Accounts dialog box opens up
i) Select the type of accesses to be audited. Successful access/Failed access or both can be selected
j) Click ‘Ok’ and ‘Apply’ to save the settings

From this point onwards, all access attempts to this particular folder by all users are recorded on the DC. To view these event logs, use Windows Event Viewer.
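
The same result as Steps 2 and 3 can be checked and applied from an elevated PowerShell prompt. This is an added example, not part of the original how-to; the folder path and the choice of the Modify right are assumptions to adjust for your environment.

```powershell
# Added example. $Folder is a placeholder path (assumption); change it before running.
# Run from an elevated PowerShell prompt on the server that hosts the folder.
$Folder = 'D:\Shares\Finance'

# 1. Confirm that the object access policy from Step 2 has reached this server.
#    "File System" is the audit subcategory that covers file and folder access.
auditpol /get /subcategory:"File System"

# 2. Build an audit rule matching the dialog choices in Step 3:
#    principal Everyone, successful and failed access, inherited by subfolders and files.
#    Auditing Modify rather than FullControl is an assumption made to limit log volume.
$rights  = [System.Security.AccessControl.FileSystemRights]'Modify'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

# 3. Load the existing SACL (-Audit is required, otherwise audit entries are not
#    returned), append the new rule and write the descriptor back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Verify that the audit entry is now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# 5. After some access has taken place, read the matching Security log events.
#    Event ID 4663 is "An attempt was made to access an object".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

If step 1 reports "No Auditing" for File System, the audit entry on the folder produces no events until the policy from Step 2 has been applied.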

https://community.spiceworks.com/how_to/122828-how-to-enable-file-and-folder-access-auditing-on-windows-server-2008-and-2008-r2

https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Enable_File_Auditing_in_Windows
